[Dshield] Korgo Infections at 50%

Dom De Vitto dom at DeVitto.com
Sat Jun 12 16:35:48 GMT 2004


This box would seem to be XP/2003, as it has 5000/udp open.

It also has SSH open, which is pretty rare on MS boxes (though far
from impossible), so I'd say it's a honeypot.

I guess the owner will be scanning you back next month,
when he does the same! :-)

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom at devitto.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Where do you want to go today?  Same as every day.... Windows Update.

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Blake McNeill
Sent: Saturday, June 12, 2004 5:06 PM
To: General DShield Discussion List
Subject: [Dshield] Korgo Infections at 50%

I thought I'd return the favour of the 2050 systems which scanned my port
445 on June 10th (local date/time) and scan them back looking for worm
signatures in open ports. Of course, since the scan was performed at 1 am on
June 11, some of the systems scanned are not the same systems that scanned
me, etc., but it is just an experiment and I'll live with the various
imperfections in order to get an idea as to what is out there.

Of the 2050 systems I found 605 systems (which responded to an ICMP ping).
Here is a rough breakdown of the interesting open ports I found (I scanned
for 36 TCP ports and 8 UDP ports).

396 - TCP Port 1025
367 - TCP Port 445
366 - TCP Port 5000
299 - TCP Port 113 (Korgo)
279 - TCP Port 3067 (Korgo)
271 - TCP Port 123
55 - TCP Port 22
40 - TCP Port 80
18 - TCP Port 21
16 - TCP Port 25
15 - TCP Port 1023 (Sasser.G)
10 - TCP Port 110
9 - TCP Port 5554 (Sasser)
9 - TCP Port 1022 (Sasser.G)
5 - TCP Port 9996 (Sasser)
5 - TCP Port 559
3 - TCP Port 4444 (MSBlast)
3 - TCP Port 1433
2 - TCP Port 8967 (Dabber)
1 - TCP Port 65506
1 - TCP Port 3127 - oh how the mighty have fallen

So roughly half of the systems I scanned showed a Korgo port signature
(113/3067).

One system was totally amazing for open ports (please tell me this is a
honey pot).
29 open TCP ports: 22, 25, 80, 110, 113, 119, 135, 139, 420, 445, 559, 1022,
1023, 1025, 1433, 2041, 2745, 3067, 3127, 4444, 5000, 5300, 6129, 8967,
9898, 9996, 9999, 28856, 65506
1 open UDP port: 137

Blake
http://www.LinkLogger.com

_______________________________________________
list mailing list
list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list